User Authorization

RIG supports the JSON Web Tokens (JWT) standard for authorizing users when forwarding HTTP requests, or when handling event subscription or submission requests.

Note that RIG does not do authentication - you will need to provide a service for that yourself. This means that RIG does not create any tokens on its own. Given a JWT, RIG only checks its validity, using a shared secret key or a public key, depending on the algorithm used. Please refer to the Operator's Guide for the corresponding configuration options.

Also note the following:

  • For incoming HTTP requests, JWT validation can be enabled on a per endpoint basis using the secured option.
  • Event subscriptions can be secured using JWT validation by setting SUBSCRIPTION_CHECK to jwt_validation.
  • Likewise, event submissions can be secured using JWT validation by setting SUBMISSION_CHECK to jwt_validation.

Again, refer to the Operator's Guide for details on those environment variables.

Key Length

For symmetric hashing (HS256, RS256), please make sure you are using keys of appropriate length, as described in the spec. For example, if you use HS256, your secret key should be at least 32 character (256 bit) in length.

Example

Example of a minimal JWT:

// Header:
{
  "alg": "HS256",
  "typ": "JWT"
}
// Payload:
{
  "exp": 99999999
}
Forwarding RequestsDistributed Tracing